MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


KoiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c
SHA3-384 hash: 224487c096f045530afa44eecb6d8c8482874d356ff93f509a0bd74cfc3ac00e0677073d6d5f2219c6cc27fa7172c5e5
SHA1 hash: e9a2dbcf2bf6bead0f46c60b7b8b5ffcf0dcfc50
MD5 hash: 6bef4f06938cf2569a3ad26a9827269a
humanhash: table-lima-don-west
File name:Chasebank_Statement_May lnk
Download: download sample
Signature KoiLoader
Create hunting rule
File size:3'049 bytes
First seen:2024-06-05 10:44:42 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8bJN8UiKkPA9PA+/0YyfzB4p8IEa0/idd+IAI0OXuHY88r/Z26Uz1m:8n5kY2trB4SIEaRdkIPXuHgrZ26q1
TLSH T1105100113AEE4725E3F28E3740B7A662997FBC46DE31DA5D0160414C28A2B00DC79F7B
Reporter JAMESWT_WT
Tags:dsestimation-com KoiLoader lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.FireForYou.20221018.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADayDownloaders.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6660534131703c6eb905482cwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Stealth Minerva Dexter
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c/results/dashboard
Payload URLs
URL
File name
D:\DocGuard-Api\AppData\20c5ed76-8cc5-4993-acb6-a702d1cbe91c\2bb9c192-dd86-4cd7-aafb-527abb430a17\Chasebank_Statement_May.lnk
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd lolbin masquerade schtasks wscript
Link:
https://www.filescan.io/uploads/666041b00bf5978c0b0c8772/reports/3fe5fa88-4b16-44c1-833f-4c9f430ba290/overview
Verdict:
Suspicious
Labled as:
Trojan.Link
Link:
https://www.hybrid-analysis.com/sample/22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1452280
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Curl Download And Execute Combination
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Wscript starts Powershell (via cmd or directly)
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1452280 Sample: Chasebank_Statement_May lnk.lnk Startdate: 05/06/2024 Architecture: WINDOWS Score: 100 54 www.dsestimation.com 2->54 56 dsestimation.com 2->56 62 Antivirus detection for URL or domain 2->62 64 Antivirus detection for dropped file 2->64 66 Windows shortcut file (LNK) starts blacklisted processes 2->66 68 13 other signatures 2->68 8 wscript.exe 1 1 2->8         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 70 Windows shortcut file (LNK) starts blacklisted processes 8->70 72 Suspicious powershell command line found 8->72 74 Wscript starts Powershell (via cmd or directly) 8->74 78 2 other signatures 8->78 17 powershell.exe 14 16 8->17         started        20 powershell.exe 11->20         started        22 powershell.exe 13->22         started        76 Uses schtasks.exe or at.exe to add and modify task schedules 15->76 24 curl.exe 2 15->24         started        27 conhost.exe 1 15->27         started        29 schtasks.exe 1 15->29         started        process6 dnsIp7 50 C:\Users\user\AppData\...50O8FQOC45LK8.js, ASCII 17->50 dropped 31 wscript.exe 17->31         started        34 conhost.exe 17->34         started        36 schtasks.exe 1 17->36         started        38 conhost.exe 20->38         started        40 schtasks.exe 1 20->40         started        42 wscript.exe 20->42         started        44 conhost.exe 22->44         started        46 schtasks.exe 1 22->46         started        48 wscript.exe 22->48         started        58 dsestimation.com 109.106.251.61, 443, 49733, 49734 NETNET-ASRS Serbia 24->58 60 127.0.0.1 unknown unknown 24->60 52 C:\Users\user\AppData\...\HYgncxmQatsP.js, ASCII 24->52 dropped file8 process9 signatures10 80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 31->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c/
Threat name:
Win32.Trojan.Koiloader
Create hunting rule
Status:
Malicious
First seen:
2024-06-03 22:36:07 UTC
File Type:
Binary
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=elhelksoympusn4hf6yv22xhq4liyd22qom7kfg5nhso5s64a5oa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution
Link:
https://tria.ge/reports/240605-mtds2aec24/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22ce45aa4ec31f4937872fb15d6ae787168c0f5a8399f514dd69e4eecbdc075c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:Long_RelativePath_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments